TryHackMe.com | Sysmon

rb fp
2 min read · May 25, 2021

Full video of my thought process/research for this walkthrough below. I started the recording during the final task even though the earlier tasks had some challenging scenarios. However, most of the room was read-and-click.

All questions and answers beneath the video.

Format:

Question

Answer

Task 4: Cutting out the Noise

How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

73,591

What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

2021-01-06 01:35:50.464

Task 10: Practical Investigation

What is the full registry key of the USB device calling svchost.exe in Investigation 1?

HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName

What is the device name when being called by RawAccessRead in Investigation 1?

\Device\HarddiskVolume3

What is the first exe the process executes in Investigation 1?

rundll32.exe

What is the full path of the payload in Investigation 2?

C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

What is the full path of the file the payload masked itself as in Investigation 2?

C:\Users\IEUser\Downloads\update.html

What signed binary executed the payload in Investigation 2?

C:\Windows\System32\mshta.exe

What is the IP of the adversary in Investigation 2?

10.0.2.18

What back connect port is used in Investigation 2?

4443

What is the IP of the suspected adversary in Investigation 3.1?

172.30.1.253

What is the hostname of the affected endpoint in Investigation 3.1?

DESKTOP-O153T4R

What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

empirec2

Where in the registry was the payload stored in Investigation 3.1?

HKLM\SOFTWARE\Microsoft\Network\debug

What PowerShell launch code was used to launch the payload in Investigation 3.1?

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;

What is the IP of the adversary in Investigation 3.2?

What is the full path of the payload location in Investigation 3.2?

c:\users\q\AppData:blah.txt

What was the full command used to create the scheduled task in Investigation 3.2?

"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

lsass.exe

What is the IP of the adversary in Investigation 4?

172.30.1.253

What port is the adversary operating on in Investigation 4?

80

What C2 is the adversary utilizing in Investigation 4?

Empire
